Guest Blog: The hidden cost of healthcare IT

Fellow blogger Tim Wilson recently mused about the true cost of deploying new health information systems. I asked Tim if I could share these musings with my readers on the eHealthMusings blog. He graciously agreed.

But there’s a hidden cost to HIS that’s often overlooked, and it’s related to security and privacy. Although digital systems can be made more secure than the old lock-and-key filing cabinets, they also add immense risk. We all know why: With a digital system, a breach can result in access to immense volumes of personal healthcare data.

To protect ourselves, we need to increase spending in two key areas: IT security and privacy training. Unfortunately, that’s not happening. Why? Because these added costs aren’t associated with improved system efficiencies and healthcare outcomes.

IT security is understood to be a critical concern in healthcare, but is cybersecurity spending keeping up? Well, no. According to Juniper Research, cross-organizational cybersecurity spend is expected to increase by an average of 9% per annum. Canada’s hospitals aren’t seeing that kind of growth in targeted IT spend for cybersecurity. A typical hospital CIO would no doubt say that—barring a specific initiative or rollout—a 9% budget increase year-over-year is excessive in any one IT area, security included.

And that CIO might have a point, because the big privacy breaches in hospitals often center on human activity, and not a technological failure. A recent study by U.S.-based cybersecurity software company Protenus found that insiders were responsible for 31% of the total number of healthcare breaches, and that almost 30% of privacy violations were committed by repeat offenders.

The follow-up to that would naturally be to ask what the budgets are for workforce training on privacy. You can be sure of two things: those budgets are very low, and they also aren’t growing at 9% a year.

The answer is to maintain constant investment in both areas, and for the initiatives to be inter-related. But for that to happen there has to be a broad cultural shift that’s reflected in more rigorous legislation. The European Union’s General Data Protection Regulation (GDPR) requires privacy breach notification within 72 hours—far beyond the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

With a more significant legal deterrent, one could argue that healthcare privacy training within organizations would be more effective, thus reducing the cost burden. As it stands, in Canada the legal repercussions for privacy breaches are minimal. A nurse in Alberta who was recently caught snooping on two individuals—she illegally accessed their health information 138 times over a three-year period—was fined $3,000. She kept her job, and was ordered to take some “remedial privacy training.”

Back in May, a nurse at Grace Hospital in Winnipeg accessed emergency room data on hundreds of individuals. The motive, apparently, was “personal curiosity.” The nurse lost her job. End of story.

More recently, in June, CarePartners in Ontario was hacked. The criminals claimed they had hundreds of thousands of patient records and related materials dating back to 2010. If CarePartners were to be found guilty of not properly safeguarding the data, as an organization they could be fined up to $500,000 (individuals max out at $100,000).

It’s extremely unlikely that CarePartners will be fined. And maybe that’s okay, because a fine is not necessarily the best approach. Instead, CarePartners could be ordered by the courts to commit to permanent and ongoing investments in improved security and training. (This would be far more rigorous than their current “Privacy Pledge” and the requirement that their workers sign a “Pledge of Confidentiality.”)

The three stories mentioned above have one thing in common: it wasn’t the healthcare organizations’ internal processes that figured out what was going on. In the case of Alberta, the problem was discovered because two patients requested access to their audit logs. At the Grace Hospital in Winnipeg, it was a manager who caught on to the inappropriate behaviour, and reported it. And at CarePartners, it was the criminals themselves who blew the lid on things, even contacting the media.

Which brings us to the necessary conclusion that there are a lot of digital health system breaches that aren’t being found in regular audits. Sadly, this has allowed for the laissez-faire attitude to continue. That serves CIOs, because it means they can keep a hold on their cybersecurity technology and training costs, while also maintaining or increasing investments in priority “high reward” areas that directly relate to improved system efficiencies and patient outcomes.

According to Juniper Research, over 33 billion records will be stolen by cybercriminals in 2023, an increase of 175% over the 12 billion compromised this year. A lot of those 146 billion records will be in healthcare. Among those that will be in Canada, rest assured that many will fly below the radar. The result is that the depth of the problem will be obscured, and the response won’t be as serious as it should be.

Ask yourself: are the training requirements in your organization for security and privacy becoming more rigorous? Is the training an ongoing and recurrent phenomenon designed to maintain awareness, or is it a one-off?

My guess is that your healthcare organization’s cybersecurity budget is an annual line item that, as a percentage of overall spend, is well below the steady increases in the overall threat level—unless a specific project is being funded. My guess too is that training is a one-time affair. You’ll see lots of signs reminding people to wash their hands. You won’t see many advisories reminding digital health workers to respect patient privacy.

Around the world, cybersecurity breaches are expected to result in over 146 billion records being stolen by 2023. The number of records breached annually will nearly triple over the next 5 years. And unless someone does something about the poor training and oversight, the situation will only get worse. The Protenus report stated clearly that “health systems accumulate risk that compounds over time if proper reporting and education do not occur.”

This is happening now in Canada’s hospitals and clinics, and without better training and stricter oversight it’s only going to get worse. The solution requires leadership and investment akin to how we approach hospital infection and safety. Imagine having a ward with a notice in a hallway bragging about the numbers of days since the last privacy breach. Imagine if privacy were understood to be part of the “continuum of care”—a reasonable idea, given the psychological and emotional damage that breaches cause patients.

It’s time for an honest discussion about what this kind of commitment will cost. Once that’s understood, it can be baked into budgets, and not treated as ad hoc spending, or addressed on a reactive basis after a crisis. Only that way can we keep Canadians as safe as possible from data breaches.

Tim Wilson is principal of T Wilson Associates. Follow him on Twitter: @TimothyEWilson